SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
HOME SECFORCE - penetration testing COMPANY SECFORCE - penetration testing SERVICES SECFORCE - penetration testing RESEARCH SECFORCE - penetration testing BLOG SECFORCE - penetration testing INITIATIVES SECFORCE - penetration testing CONTACT
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    SECFORCE - penetration testing

Blog ■

SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    Home : Blog  
SECFORCE - penetration testing SECFORCE - penetration testing
Archive for October, 2008

Penetration testing and risk management – Consultants vs Monkeys

Thursday, October 30th, 2008

There are no doubts that penetration testing is becoming mainstream now. It looks like business are eventually concerned about security. Compared to some years ago the number of companies requesting penetration tests has increased exponentially and therefore the number of companies conducting them has incresed too.

One of the important problems affecting some penetration testing companies is that they conduct penetration tests with a very narrow perspective, they don’t put things into context. I call it monkey work. It is quite easy running an automated vulnerability scanner and produce a nice report. However, vulnerability scanners are not clever enough to know how a specific vulnerability affects a bussiness.

A typical example is XSS vulnerabilities. Depending on the context they can be devastating or just a minor issue. It is up to the penetration tester to decide how important this security issue is for the business. I call it consultant work and it is where risk management comes into the game.

At the end of the day a business man just cares about the business. If he/she is conducting a penetration test it is not due to the pleasure of learning about buffer overflows and injection vulnerabilities – it is because he/she thinks the penetration test is good for the business (due to a number of reasons such as clients trust, compliance, etc.).

Therefore what they really want to know about a security issues is:

  • What is the impact for the business
  • What is the likelihood of happening
  • How can be solved

What they are not interested in is:

  • Why stack protection mechanisms can not protect you from a heap overflow
  • How you control EIP on this exploit
  • Why a fuzzer would have never discovered that vulnerability
  • etc…

MS vulnerabilities and worms

Friday, October 24th, 2008

Time between vulnerability disclosure and worm spread has been drastically reduced.

The MS08-067 vulnerability has been published some hours ago. Microsoft rated this vulnerability as critical, as a remote unauthenticated attacker could exploit it to execute arbitrary code in the vulnerable host.

This vulnerability is caused due to a bug in the Windows Server service handling a crafted RPC request.

The vulnerability affects almost all the Windows operating systems family, with some differences. On Windows 2000, XP and 2003 an attacker could exploit this vulnerability without the need of a username and password. However, the exploitation in Windows Vista and Windows Server 2008 requires a valid username and password.

The really interesting thing about all of this is that Microsoft published the following in its Security Bulleting:

It is possible that this vulnerability could be used in the crafting of a wormable exploit.

Just after a few hours reliable exploits are already available and what is more, a worm has been already found in the wild exploting this vulnerability.

The name of the worm is Gimmiv.A and uses this vulnerability to spread over the network. On infection, the worm injects two DLLs into the services.exe address space. After that, the worm retrieves information from the compromised host (including passwords from the Windows protected storage) and posts it in encrypted form to a remote host.

The worm posts the details to a number of hosts, including

At the time of writing the host is up and running and contains details of 3779 hosts stored int the file.

The worm also downloads the following image stored on the server:

Microsoft and SECFORCE recommends that customers apply the update immediately as other versions of worms exploiting this vulnerability are likely to be released.

Penetration testing with IPv6

Tuesday, October 14th, 2008

Today has been released the Uninformed (number 10) magazine. As usual it is a very interesting read, with very nice and technical articles there. One of them caught my eye, written by H D Moore – Exploiting Tomorrow’s Internet Today, Penetration testing with IPv6.

IPv6 is an Internet layer protocol designed to substitute the current IPv4. The article covers the basics of IPv6 such as configuration and addressing standards.

Later in the article the author some of the common tasks of penetration testing focusing on IPv6 protocol:

Network Discovery

Van Hauser’s IPv6 Attack Toolkit contains a tool for this. The alive6 tool sends an ICMP6 packet using Neighbor Discovery protocol:

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy

Found 2 systems alive

Tools ip and ping6 can also be used for that:

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx
fe80::218:8bff:fexx:xxxx dev eth0 lladdr 00:18:8b:xx:xx:xx

H D More also covers the use of Nmap and Metasploit against IPv6 hosts.

It is interesting the use of socat to ‘translate’ from IPv4 to IPv6 and then being able to use the common penetration testing tools:

$ socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[IPv6%eth0]:80

In the example above socat creates and binds a local IPv4 port (8080) to a remote IPv6 service which was listening on port 80. After running the command above, the penetration tester can confortably use the common web assessment tools such as nikto o web proxies even if they don’t natively support IPv6.

SCADA Security

Friday, October 10th, 2008

It is interesting to see how security research is a kind of a living being. Almost by nature security rearchers focus their efforts in whatever is more familiar to them, resulting in a vast amount of time dedicated to fairly accessible products such as Microsoft Windows operating systems, MS Office, Linux in its different flavours, etc.

This leaves a gap in the security industry where highly deployed systems (sometimes critical for government infrastructure) remain untested and its security is several years behind the avarage IT system.

Two clear examples of this are MPLS and SCADA systems. Given the fact that these systems are rarely found in penetration testing engagements and independent researchers struggle to find a suitable environment for testing, it doesn’t come to a surprise their security doesn’t match nowadays avarage.

Last week there was two vulnerabilities affecting SCADA systems:

In a world where stack buffer overflows are among species threatened with extinction it is rather suprising reading this kind of vulnerabilities. There is no doubt that due to a number of circunstances security research has been appart from these technologies.

Cisco config retrieval tool and password reuse

Wednesday, October 8th, 2008

The other day we were at a client site doing a penetration test. This was a very big deployment with almost 100 routers. At some point during the test we managed to get the read/write community string of one of the routers, as there was a script with the hard-coded credentials.

We managed to connect to the router with the SNMP credentials and pulled the Cisco config file. After that, we decoded the telnet and enable passwords and we were ready to go. We tried (with no much hope initially) a couple of other routers reusing the telnet password and they all worked. Every single router was protected with exactly the same password.

We had limited time and the prospect of telneting 100 routers pulling config files was not very appealing so we wrote a nice python script to pull them for us. We released the tool in our research section, so check it out if you are interested.

The lesson to learn here is that no matter how confident you are about the strength of your password because it can be potentially compromise and if you are reusing it, the impact for the business becomes critical.

WordPress SQL column truncation vulnerability

Wednesday, October 8th, 2008

This vulnerability has been published some days ago where an attacker could create a duplicated “admin” user and recover the legitimate “admin” password. SQL column truncation is an attacking technique whereby an attacker take advance of some kind of mismatch between an application and the database structure used by it.

Let’s have a look to the vulnerable code.

In schema.php in the wordpress application it is defined the creation of the database table containing users:

CREATE TABLE $wpdb->users (
ID bigint(20) unsigned NOT NULL auto_increment,
user_login varchar(60) NOT NULL default '',

As we can see, the user_login field has a length of 60 bytes. However, the application does not enforce this limitation and allows longer usernames.

An attacker could create a user called “admin[55 spaces]X”. The last “X” is character 61 and therefore will be ignored by the database.

Later in the code, we can see that the user_login field is trim()ed and all the spaces are removed, so it becomes “admin”:

if ( strstr($_POST['user_login'], '@') ) {
$user_data = get_user_by_email(trim($_POST['user_login']));
if ( empty($user_data) )
$errors->add('invalid_email', __('ERROR: There is no user registered with that email address.'));
} else {
$login = trim($_POST['user_login']);
$user_data = get_userdatabylogin($login);

In summary, this is a very creative vulnerability and an interesting vector of attack.



July 2014
April 2014
March 2014
February 2014
August 2013
June 2013
February 2013
January 2013
December 2012
November 2012
October 2012
January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008


Aircraft security (1)
Business Continuity (2)
cyber security (2)
Embedded devices security (2)
exploit (8)
Fuzzing (1)
Penetration Testing (41)
Phishing (3)
Risk Management (5)
Security architecture (2)
Security Books (1)
Security Compliance (1)
Security research (9)
social engineering (1)
social media (1)
sql injection (3)
SQL Server (3)
Tools (13)
Uncategorized (2)
Vulnerabilities (10)
SECFORCE - penetration testing
  SECFORCE - penetration testing Aegon House, 13 Lanark Square
Canary Wharf - E14 9QD, London
SECFORCE - penetration testing Direct Line +44 (0) 845 056 8694
E-mail SECFORCE - penetration testing
  Follow us in Twitter Check us out in LinkedIn SECFORCE is CREST certified. Click on the logo for more information ISO9001 ISO27001
SECFORCE - penetration testing
    Copyright (c) 2014 SECFORCE Ltd · All Rights Reserved